I inherited a moderately large sized code base that makes extensive use of mysql_fetch_assoc and mysql_fetch_object, and doesn’t have any security precautions preventing SQL injection. I decided that this was a Very Bad ThingTM that needed fixing.
Initially, I intended on moving to mysqli prepare/bind_param/execute statements to handle DB queries. However, the following does not work:
$stmt = $GLOBALS['db']->prepare('SELECT * FROM Users WHERE Username=?');
$stmt->bind_param('s', $username);
$stmt->execute();
// Somehow retrieve the fetched row as an object (Doesn't work!)
return $stmt->fetch_assoc();
Question 1: Is there a way to use fetch_assoc or fetch_object using prepare/bind? I can refactor all the code, but it would be messy and take a very long time.
Question 2: If it is not possible to do this, is it just as effective from a security standpoint to use mysqli_query(), provided all inputs are properly escaped via mysql_real_escape_string()? Do you have any other suggestions?
$row = $stmt->fetch(PDO::FETCH_ASSOC)Ref: http://php.net/manual/en/pdostatement.fetch.phpYou can use mysqli if you want. As long as you use the real_escape_string functions on ALL user data (including your own) that’s going into SQL statements, then it’s no less secure than using prepared statements – it’s just much easier to miss a post and leave a hole open.